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(54) Identifying a specific combination of metering accounting vault and digitai printer 

(57) For preventing monitoring of postage indicia 
data which is sent from a postage metering vault to a 
remotely located digital printer (21 ) over a communica- 
tion link (C11) between the meter vault and the digital 
printer (21 ), the meter (11 ) is provided with an encryption 
engine (37) for encrypting postage indicia data utilizing 
an encryption key The digital printer (21 ) includes a de- 
cryption engine (53) for decrypting postage data re- 
ceived from said meter (1 1 ) utilizing the same encryption 
key and then prints a postage indicia pursuant to the 
decrypted postage indicia data. The postage meter (11) 
also includes a key manager (39) for generating new 
encryption key pursuant to a token which is either ran- 
domly generated or generated pursuant to an algorithm 
by a similar encryption key manager (61 ) located in the 
digital printer (21 ), which token is also used to generate 
the decryption key for the decryption engine (53). As a 
result, the encryption keys are the same. Upon power- 
up of the system or at such other preselected times, the 
print controller module of the digital printer (21) sends 
out an encrypted message to the meter (11). The mes- 
sage consist of a random number The encryption/de- 
cryption engine (37) of the vault decrypts the message. 
The vault then returns an encrypted new message to 
the print controller (23) which includes an encoded rep- 
resentation of the relationship of the two messages. Up- 
on receiving the new message from the vault, the print 
controller (23) decrypts the new message and verifies 
the relationship. The print controller (23) is then enabled 
to print a postage indicia. 
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Description 

The present invention relates to a postage metering 
system using digital printing and, more particularly, to a 
postage metering system wherein the postage account- s 
ing system is remotely located from the postage printer 

A conventional postage meter is comprised of a se- 
cure account system, also known as a vault, and an im- 
pact printing mechanism housed in a secure housing 
having tamper detection. The vault is physical secured 'o 
and operationally interlocl^ed to the printing mechanism. 
For example, it is now known to use postage meters em- 
ploying digital printing techniques. In such systems, the 
vault and digital printer remain secure within the secure 
housing and printing can only occur after postage has 's 
been accounted for. 

It is also known to employ a postage meter in com- 
bination with an inserting system for the processing of 
a mall stream. It has been determined that it would be 
beneficial to configure a postage metering system which 20 
empbys an inserter and digital printer in combination 
with a remotely located vault. However, it has also been 
determined as a security step to be beneficial to provide 
a means to assure that an authorized vault is driving the 
digital printers in order to insure proper postal account- 2S 
ing between the system user and postal services. Fur- 
ther, such systems may be equipped with remote funds 
resetting capability, therefore, it is necessary that the ac- 
counting records of the user, postal service and operator 
of the remote funds reset center be reconcilable with re- 30 
gards to a identifiable combination of vault and digital 
printing systems. 

It is an object of the present invention to present a 
method of preventing the operation of a digital printer to 
print a postage indicia unless the digital printer is in elec- ss 
tronic communication with a specific vault system. 

A new metering system includes a meter in bus 
communication with a digital printer for enabling the me- 
ter to be located remote from the digital printer. The me- 
ter includes a vault which is comprised of a micro con- 40 
troller in bus communication with an application specific 
integrated circuit (ASIC) and a plurality of memory units 
secured in a tamper resistant housing. The ASIC in- 
cludes a plurality of control modules, some of which are 
an accounting memory security module, a printer con- "5 
troller module and a encryption module. The digital print- 
er includes a decoder/encoder ASIC sealed to the print 
head ol the digital printer. The decoder/encoder ASIC 
communicates to the printer controller module via a 
printer bus. Communication between the printer control- so 
ler and the print head decoder/encoder ASIC interface 
is accomplished through a printer bus which communi- 
cations are encrypted by any suitable known technique, 
for example, using a data encryption standard (DES) al- 
gorithm. By encrypting the output of the printer controller ss 
module along the printer bus any unauthorized probing 
of the output of the printer controller to acquire and store 
the signals used to produce a valid postage print are 



prevented. If the electrical signals are probed, the data 
cannot easily be reconstructed into an indicia image by 
virtue ofthe encryption. The print head decoder consists 
of a custom integrated circuit located in proximity to the 
printing elements. It receives the output from the printer 
controller, decrypts the data, and reformats the data as 
necessary for application to the printing elements. 

The printer controller and print head controller con- 
tain encryption key manager functional units. The en- 
cryption key manager is used to periodically change the 
encryption key used to send print data to the print head. 
The actual keys are not sent over the interface, rather, 
a token representing a specific key is passed. The key 
can be updated every time the printer controller clears 
the print head decoder, after a particular number of print 
cycles, or after a particular number of state machine 
clock cycles. By increasing the number of encryption 
keys, the probability that the system will be compro- 
mised diminishes. 

In order to assure full and accurate accounting for 
the particular digital printer, upon power-up of the sys- 
tem or at such other preselected condition, the print con- 
troller module of the digital printer sends out an encrypt- 
ed message to the meter This message consists of an 
encrypted random number. The encryption/decryption 
engine of the postage meter decrypts the message. The 
meter then returns an encrypted new message to the 
print controller which includes an encoded representa- 
tion of the relationship of the two messages. Upon re- 
ceiving the new message from the vault, the print con- 
troller decrypts the new message and verifies the rela- 
tionship. The print controller is then enabled to print a 
postage indicia. 

Fig. 1 is a diagrammatic representation of a postage 
meter in combination with a remote printing mechanism 
in accordance with the present invention. 

Fig. 2 is a diagrammatic representation of the post- 
age meter micro control and printer micro control sys- 
tems in accordance with the present invention. 

Referring to Fig. 1 , the postage meter control sys- 
tem 1 1 is comprised of a micro controller 1 3 in bus com- 
munication with a memory unit 15 and ASIC 17. The 
printing mechanism 21 is generally comprised of a print 
controller 23 wliich controls the operation of a plurality 
of print elements 27 Data is communicated between the 
meter control system 11 and the print mechanism over 
a bus C11 . Generally, print data is first encrypted by an 
encryption module 1 8 and presented to the printer con- 
troller 23 through a printer controller module 19 of the 
ASIC 17. The data received by the print controller 23 is 
decrypted by a decryption module 25 in the print mech- 
anism 21 after which the print controller 23 drives the 
print elements 27 In accordance with the received data. 
The data exchanged between the two devices Is subject 
to interception and possible tampering since the electri- 
cal interconnects are not physically secured. Utilizing 
encryption to electrically secure the interface between 
the printer controller and print head reduces the ability 
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of an external intrusion of data to tlie print mechanism 
21 to drive unaccounted for posting by the printing 
mechanism 21. If the electrical signals are probed, the 
data cannot easily be reconstructed Into an indicia im- 
age by virtue of the encryption. The print head mecha- 
nism 21 consists of a custom Integrated circuit ASIC, 
more particularly described subsequently, located in 
proximity to the printing elements to allow physical se- 
curity such as by epoxy sealing of the ASIC to the print 
head substrate utilizing any suitable known process. 

Referring to Fig. 2, the meter control system 11 Is 
secured within a secure housing 10. More specifically, 
a micro controller 1 3 electrically communicates with an 
address bus All, a data bus D11, a read control line 
RD, a write control line WR, a data request control line 
DR and a data acknowledge control line DA. The mem- 
ory unit 15 Is also In electrical communication with the 
bus All and D11, and control lines RD and WR. An ad- 
dress decoder module 30 electrically communicates 
with the address bus All. The output from the address 
decoder 30 is directed to a data controller 33, timing con- 
troller 35, encryption/decryption engine 37, encryption 
key manager 39 and shift register 41 . The output of the 
address controller 30 operates in a conventional man- 
ner to enable and disable the data controller 33, timing 
controller 35, encryption engine 37, encryption key man- 
ager 39 and shift register 41 in response to a respective 
address generated by the micro controller 13. 

The data controller 33 electrically communicates 
with theaddress bus and data bus All and D 11, respec- 
tively, and also with the read and write control lines RD 
and WR, respectively. In addition, the data controller 33 
electrically communicates with the data request DR and 
data acknowledge DA control lines. The output from the 
data controller 33 is directed to an encryption/decryption 
engine 37 where the output dataf rom the data controller 
33 is encrypted using any one of several known encryp- 
tion techniques, for example, the DES encryption algo- 
rithm. The output from the encryption engine 37 is di- 
rected to the shift register 41 . The timing controller 35 
electrically communicates with the data controller 33, 
the encryption/decryption engine 37 and shift register 
41 for providing synchronize tlnrtlng signals to the data 
controller 33, the encryption/decryption engine 37 and 
shift register 41 . Thetimlngcontroller35 receives a input 
clock signal from a state machine clock 43. In the most 
preferred configuration, a encryption key manager 39 Is 
in electrical communication with the encryption/decryp- 
tion engine 37 for the purposes of providing added sys- 
tem security in a manner subsequently described. 

The printer mechanism 21 control ASIC includes a 
shift register 51 , decryption/encryption engine 53 and a 
print head format converter 55. The output from the shift 
register 51 is directed to the input of the decryption/en- 
cryption engine 53. Theoulput of the decryption/encryp- 
tion engine 53 is directed to the print head format con- 
verter 55. The timing controller 56 electrically commu- 
nicates with the shift register 51 , decryption/encryption 



engine 53, print head format converter 55 for providing 
synchronized timing signals to the data controller 33, the 
encryption/decryption engine 37 and shift register 41 . 
The timing controller 56 receives a input clock signal 

s from a state machine clock 59. in the most preferred 
configuration, a encryption key manager 61 is in electri- 
cal communication with the encryption/decryption en- 
gine 53 for the purposes of providing added system se- 
curity and communicating with the encryption key man- 

io ager 39 of the meter control system 1 1 . The printer con- 
trol ASIC electronically communicates with the print el- 
ements 63. Also provided is a verification circuit 66 
which receives data from the shift register 41 only during 
system power-up and outputs data to the decryption/en- 

TS cryption engine 53. 

In operation, upon power-up of the system or at 
such other selected times, the verification circuit in re- 
sponse to a power-up print command (Print Cmmd) from 
the meter control system 11 outputs a random number 

so message to the decryption/encryption engine which en- 
crypts the message in response to the power-up print 
command. The encrypted message is sent out to the 
meter The encryption/decryption engine 37 of the vault 
decrypts the message in response to the print com- 

25 mand. The micro controller then returns an encrypted 
new message to the print controller which includes the 
encoded representation of the relationship of the two 
messages. Upon receiving the new message from the 
vault, the print controller decrypts the new message and 

30 verifies the relationship in response to a new print com- 
mand. The print controller is then enabled to print a post- 
age indicia. The print controller is now enabled resulting 
In the engine 33 being set in a encryption mode and en- 
gine 53 being set in a decryption mode. 

35 Upon initiation of a print cycle, the micro controller 
1 3 generates the appropriate address and generates an 
active write signal. The less significant bits (LBS) of the 
generated address is directed to the address decoder 
30 and the most significant bits (MBS) are directed to 

40 the data controller 33. In response, the address decoder 
30 generates the enable signals for the data controller 
33, timing controller 35, encryption engine 37 and shift 
register 41 . The data controller 33 then generates a data 
request which then Is received by the micro controller 

45 13. The micro controller 1 3 then generates a read ena- 
ble signal which enables the microcontroller 13 to read 
the image data from the memory unit 15 and place the 
appropriate data on the data bus 01 1 . That data Is read 
by the data controller 33 which reformats the 32-bit data 

so messages into 64-bit data messages and passes the 
64-bit data messages to the encryption engine 37. The 
encryption engine 37 then encrypts the data using any 
suitable encryption algorithm and the encryption key 
supplied by the encryption key manager 39. The en- 

55 crypted data is then passed to the shift register 41 for 
serial communication of the encrypted data to the printer 
21. The operation of the data controller 33, encryption 
engine 37 and shift register 41 is synchronized by the 
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timing controller 35 whicli receives a clocking signal 
from the state machine clock 43. 

Over a communication bus C11, the encrypted se- 
rial data output from the shift register 41 Is directed to 
the shift register 51 of the printer 21 . Also carried over 5 
the bus C11 are the appropriate clock signals for clock- 
ing the data into the shift register 51 and a print com- 
mand (Print Cmmd). When the whole of the encrypted 
information has been transmitted, a clear signal is gen- 
erated over the bus C11 . The shift registers 51 of the io 
printer 21 reformats the encrypted data back into 64-bil 
parallel form and transfers the 64-bit data messages to 
the decryption engine 53 which decrypts the data using 
the same key used to encrypt the data which is provided 
by the encryption key manager 61 . The decrypted data is 
is then received by the print format converter 55 for de- 
livery to the print head driver which enables the appro- 
priate printing elements. It should now be appreciated 
that the process described in particularly suitable for any 
form of digital printer, such as, ink jet or thermal. Once 20 
the printing process has been completed a ready signal 
is sent to the meter over the bus C11 . 

The function of the encryption key manager in both 
printer controller and print head controller is to periodi- 
cally change the encryption key used to send print data 
to the print head. The actual keys are not sent over the 
interface, rather, a token representing a specific key is 
passed. This token may be the product of an algorithm 
which represents any desired compilation of the data 
passed between the meter and the printer over some 30 
predetermined period. The token is then sent to the en- 
cryption key manager 39 which generates an identical 
key based on the token. For example, the key can be 
updated every time the printer controller clears the print 
head decoder, after a particular number of print cycles, 35 
or after a particular number of state machine clock cy- 
cles. By increasing the number of encryption keys, the 
probability that the system will be compromised dimin- 
ishes. Preferably the selection of the encryption key is 
a function of the print head decoder. This is done be- 40 
cause if one key is discovered, the print head decoder 
could still be made to print by instructing the decoder to 
use only the known (compromised) key The print head 
decoder can be made to randomly select a key and force 
theprintercontrollertocomply Once the data is decrypt- 4S 
ed. It is vulnerable to monitoring or tampering. By seal- 
ing the decoder to the print head and using any suitable 
known tamper protection techniques, Ihe data can be 
protected. Such techniques include incorporating the 
decoder on the same silicon substrate as the printing so 
elements control, utilizing chip-on-board and encapsu- 
lation techniques to make the signals inaccessible, con- 
structing a hybrid circuit in which the decoder and print- 
ing elements controls are in the same package, utilizing 
the inner routing layers of a multilayer circuit board to ss 
isolate the critical signals from unwanted monitoring, 
and fiber optic or opto-isolation means. 

The provided description illustrates the preferred 



embodiment of the present invention and should not be 
viewed as limiting. The full scope of the invention is de- 
fined by the following claims. 



Claims 

1 . A method for verifying a specific operable combina- 
tion of postage metering controller to a remotely lo- 
cated digital printer over a communication link be- 
tween the meter controller and the digital printer 
comprising the steps of: 

providing said meter with means for encrypt- 
ing/decrypting data utilizing a encryption key; 
providing said digital printer with means for en- 
crypting/decrypting postage data utilizing said 
encryption key; 

generating a random number and encrypting 
said random number at said digital printer; 
transmitting said encrypted random number to 
said meter; 

decrypting of said random number and re-en- 
crypting said random number in such a way to 
have a known relationship to said original ran- 
dom number; 

transmitting said re-encrypted random number 
and known relationship to said digital printer; 
decrypting said re-encrypted random number 
and known relationship and verifying said rela- 
tionship: and 

enabling said digital printer upon verification. 

2. A method for verifying a specific operable combina- 
tion of postage metering controller to a remotely lo- 
cated digital printer over a communication link be- 
tween the meter controller and the digital printer as 
claim in claim 1 , further comprising the steps of: 

providing said postage metering vault with a en- 
cryption key manager for generating an encryp- 
tion key pursuant to a token; 
providing said digital printer with means of gen- 
erating said token; 

communicating said token to said postage me- 
ter vault; and 

generating a encryption key by said encryption 
key manager in said postage meter vault pur- 
suant to said token such that said encryption 
key of both of said encryption key managers are 
identical. 

3. A postage metering system having a postage meter 
remote from a digital printer used to print said post- 
age indicia, comprising: 

said postage meter having a micro controller 
and encryption-decryption means for encrypt- 
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ing and decrypting data pursuant to a encryp- 
tion l<ey in response to command signals from 
said micro controller; 

said digital printer having deorypting-epcryp- 
tion means for encrypting and decrypting data 5 
pursuant to a encryption key in response to 
command signals from said micro controller; 
communication means for communicating data 
between said postage meter and said digital 
printer; io e. 

said digital printer having means for generating 
a random number and causing said random 
number to be encrypted and causing said com- 
munication means to communicate said ran- 
dom number to said encryption-decryption '£ 
means of said meter, 

said micro controller having means for causing 
said encryption-decryption means to decrypt 
said random number and encode said random 
number in adesired relationship to said random 20 
number and causing said encoded random 
number and said relationship and causing said 
encryption-decryption means to encrypt said 
encoded random number and numeric relation- 
ship and cause said communication means to ss 
communicate encoded random number and 
said relationship to said decryption-encryption 
means; and 

said printer decryption-encryption means hav- 
ing verification means for verifying said de- so 
crypted encoded random number and said re- 7. 
lationship and enable said digital printer if ver- 
ification is successful. 

4. A postage metering system having a postage meter 3S 
remote from a digital printer used to print said post- 
age indicia as claimed in claim 3, further compris- 
ing: 

said postage meter having a encryption key 40 
manager means for generating an encryption 

key in response to a token; 

said digital printerhaving a encryption key man- 8. 
ager means for generating a new encryption 
key, when desired, as a function of said de- 4S 
crypted data, and generating said token as a 
function of said decrypted data; and 
communication means (or electronically com- 
municating said token to said postage meter 
encryption key manager. so 

5. A postage metering system having a postage meter 
remote from a digital printer used to print said post- 
age indicia as claimed in claim 3, further compris- 
ing: ss 

said postage meter having a encryption key 
manager means for generating an encryption 



key in response to a token; 
said digital printer having a encryption key man- 
ager means for generating a new encryption 
key, when desired, as a function of a randomly 
generated token: and 

communication means for electronically com- 
municating said token to said postage meter 

encryption key manager 

A method for verifying a specific operable combina- 
tion of postage metering controller to a remotely lo- 
cated digital printer over a communication link be- 
tween the meter controller and the digital printer, 
comprising the steps of: 

generating a random number and encrypting 
said random number at said digital printer; 
transmitting said encrypted random number to 
said meter; 

decrypting said random number and re-en- 
crypting said random number in such a way to 
have a known relationship to said original ran- 
dom number; 

transmitting said re-encrypted random number 
and known relationship to said digital printer; 
decrypting said re-encrypted random number 
and known relationship and verifying said rela- 
tionship; and 

enabling said digital printer upon verification. 

A method according to claim 6, further comprising 
the steps of: 

generating in said digital printer a token repre- 
senting a specific decryption key; 
communicating said token to said postage me- 
ter; and 

generating an encryption key in said postage 
meter pursuant to said token such that said en- 
cryption keys of said digital printer and said 
postage meter are identical. 

A postage metering system comprising a digital 
printer (21 ) used to print postage indicia, a postage 
meter (1 1 ) remote from said digital printer (21 ), and 
communication means (C11) for communicating 
data between said postage meter (1 1 ) and said dig- 
ital printer (21 ); 

said postage meter having a micro controller 
(13) and encryption-decryption means (18) for 
encrypting and decrypting data pursuant to an 
encryption key in rosponsG to command signals 
from said micro controller (13); 
said digital printer (21) having decryption-en- 
cryption means (25) for encrypting and decrypt- 
ing data pursuant to an encryption key in re- 
sponse to command signals from said micro 
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controller (13); 

said digital printer also having means (66) for 
generating a random number and for causing 
said decryption-encryption means (25) of said 
digital printer (21) to encrypt said random s 
number and cause said communication means 
(C1 1 ) to communicate said random number to 
said encryption-decryption means (18) of said 
meter (11), 

said micro controller (13) having means for io 
causing said encryption-decryption means (18) 
of said meter (11) to decrypt said random 
number and encode said random number in a 
desired relationship to said random number 
and causing said communication means (C11 ) is 
to communicate said encoded random number 
and said relationship to said decryption-en- 
cryption means (25) of said printer (21); and 
said printer decryption-encryption means (25) 
of said printer (21) having verification means 20 
(66) for verifying said decrypted encoded ran- 
dom number and said relationship and for en- 
abling said digital printer (21) if verification is 
successful. 

2S 

9. A postage metering system according to claim 8, 
wherein 

said digital printer (21 ) has an encryption key 
manager means (61 ) for generating a new en- 30 
cryption key, when desired, as a function of 
printer operation and for generating a token 
representing said new encryption key; and 
said postage meter (10) has an encryption key 
manager means (3a) for generating an identical 3S 
encryption key in response to receipt of said to- 
ken communicated electronically over said 
communication means (C11), from said printer 
encryption key manager (61). 

10. A postage metering system according to claim 8, 
wherein: 

said digital printer (21 ) has an encryption key 
manager means (61 ) for generating a new en- 45 
cryption key, when desired, as a randomly se- 
lected key and for generating a token repre- 
senting said new encryption key; and 
said postage meter (10) has an encryption key 
manager means (39) for generating an identical so 
encryption key in response to receipt of said to- 
ken communicated electronically over said 
communication means (C11), from said printer 
encryption key manager (61). 
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